Subject: Re: Autoblocking sites after ssh probes
To: Martin Husemann <martin@duskware.de>
From: Mike M. Volokhov <mishka@apk.od.ua>
List: current-users
Date: 01/28/2005 09:30:56
On Thu, 27 Jan 2005 23:29:42 +0100
Martin Husemann <martin@duskware.de> wrote:

[snip]
> Now, here is the question: does anyone know of a tool to automagically recognize
> this sequence of logs that temporarily adds the corresponding block rules to
> ipf and expires them after, say, 24 hours?
> 
> Is there anything wrong from a security point of view with this approach?
> It's not a protection in itself, and it's just one common attack (out of
> hundreds, I guess). But maybe as an additional obstacle?

IMHO, it should be done by ssh itself. The blocking should occur in case
of login probes only, but only ssh knows whether this is a probe or not. To
prevent possible DoS, it may contain a list of non-DoS IPs to avoid such
behaviour.

Another idea is to block all by default and use something like port
knocking to grant access, as it was already proposed by Daniel.

--
Mishka.
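A sketch of the log-watching tool asked about in the thread, added here as an example and not code from anyone in the thread. It assumes sshd "Failed password" log lines, ipf "block in quick" rule syntax loaded with `ipf -f -` and removed with `ipf -rf -` (assumed flags), a constructed log sample, and a threshold of three failures; the allowlist is the "non-DoS IPs" list suggested in the reply.

```python
import re
from collections import defaultdict

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) ")

# Constructed sample log lines, not from the thread: one host probing three
# accounts, one allowlisted host doing the same, and one legitimate user.
SAMPLE_LOG = [
    "Jan 28 09:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "Jan 28 09:01:03 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4243 ssh2",
    "Jan 28 09:01:04 host sshd[1236]: Failed password for root from 192.0.2.10 port 4244 ssh2",
    "Jan 28 09:02:00 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 5000 ssh2",
    "Jan 28 09:02:01 host sshd[1241]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Jan 28 09:02:02 host sshd[1242]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "Jan 28 09:03:00 host sshd[1250]: Failed password for mike from 203.0.113.5 port 6000 ssh2",
    "Jan 28 09:03:05 host sshd[1251]: Accepted publickey for mike from 203.0.113.5 port 6001 ssh2",
]

THRESHOLD = 3                  # failures seen before a block rule is emitted
BLOCK_SECONDS = 24 * 3600      # the 24-hour expiry from the question
ALLOWLIST = {"198.51.100.7"}   # hosts that must never be blocked (the non-DoS list)

def count_failures(lines):
    """Count 'Failed password' lines per source IP; accepted logins are ignored."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def select_blocks(counts, now, active, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return ipf rules to load (ipf -f -) and record their expiry in `active`."""
    rules = []
    for ip, n in counts.items():
        if n < threshold or ip in allowlist or ip in active:
            continue  # below threshold, exempt, or already blocked
        active[ip] = now + BLOCK_SECONDS
        rules.append(f"block in quick from {ip} to any")
    return rules

def expire_blocks(active, now):
    """Return the rules whose 24 hours are up, to be removed with ipf -rf -."""
    expired = [ip for ip, until in active.items() if until <= now]
    for ip in expired:
        del active[ip]
    return [f"block in quick from {ip} to any" for ip in expired]
```

A cron job would call count_failures on the lines logged since its last run and keep `active` on disk so that expire_blocks can remove rules after a reboot.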